Method and system for limiting data accessibility in composed systems
Abstract
A system for managing composed information handling systems to manage access to data by applications hosted by the composed information handling systems includes a system control processor that instantiates a composed information handling system using a compute resource set that hosts applications and a hardware resource set that stores a portion of the data, associates, using authorization information, storage areas of the at least one hardware resource set with the applications to obtain storage area associations, obtains a data access request from the compute resource set for the portion of the data which is stored in a storage area of the storage areas, makes a determination, based on the storage area associations and an initiator of the data access request, that the initiator of the data access request is not authorized to access the portion of the data, and refuses to service the data access request.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1. A system for managing composed information handling systems to manage access to data by applications hosted by the composed information handling systems, comprising:
a storage for storing authorization information; and
a system control processor manager programmed to:
instantiate a composed information handling system of the composed information handling systems using an at least one compute resource set that hosts at least one of the applications and at least one hardware resource set that stores a portion of the data;
associate, using the authorization information, storage areas of the at least one hardware resource set with the applications to obtain storage area associations;
obtain a data access request from the at least one compute resource set for the portion of the data which is stored in a storage area of the storage areas;
make a determination, based on the storage area associations and an initiator of the data access request, that the initiator of the data access request is not authorized to access the portion of the data;
refuse, based on the determination, to service the data access request;
identify a monitoring trigger event associated with monitoring modifications to the initiator, wherein the monitoring trigger event is the refusal to service the data access request;
in response to identifying the monitoring trigger event, make a second determination that the initiator was unknowingly modified; and
perform a remediation action set based on the second determination.
2. The system of claim 1 , wherein the storage area associations specify that the initiator is not associated with the storage area.
3. The system of claim 2 , wherein the initiator of the data access request is an application of the at least one of the applications.
4. The system of claim 1 , wherein the data access request indicates an identity of the initiator and the storage area.
5. The system of claim 1 , wherein instantiating a composed information handling system of the composed information handling systems using a compute resource set that executes at least one of the applications and a hardware resource set that stores a portion of the data comprises preparing at least one control resource set to provide management services for the at least one compute resource set and the at least one hardware resource set.
6. The system of claim 5 , wherein the at least one control resource set comprises a system control processor.
7. The system of claim 6 , wherein the management services comprise:
intercepting data access requests from the at least one compute resource set by presenting the hardware resource set as bare metal resources; and
monitoring the applications to identify potentially compromised applications based on the intercepted data access requests and monitoring trigger events.
8. A method for managing composed information handling systems to manage access to data by applications hosted by the composed information handling systems, comprises:
instantiating a composed information handling system of the composed information handling systems using an at least one compute resource set that executes hosts at least one of the applications and an at least one hardware resource set that stores a portion of the data;
associating, using authorization information, different storage areas of the at least one hardware resource set with the applications to obtain storage area associations;
obtaining a data access request from the at least one compute resource set for the portion of the data which is stored in a storage area of the storage areas;
making a determination, based on the storage area associations and an initiator of the data access request, that the initiator of the data access request is not authorized to access the portion of the data;
refusing, based on the determination, to service the data access request;
identifying a monitoring trigger event associated with monitoring modifications to the initiator, wherein the monitoring trigger event is the refusal to service the data access request;
in response to identifying the monitoring trigger event, making a second determination that the initiator was unknowingly modified; and
performing a remediation action set based on the second determination.
9. The method of claim 8 , wherein the storage area associations specify that the initiator is not associated with the storage area.
10. The method of claim 9 , wherein the initiator of the data access request is an application of the at least one of the applications.
11. The method of claim 8 , wherein the data access request indicates an identity of the initiator and the storage area.
12. The method of claim 8 , wherein instantiating a composed information handling system of the composed information handling systems using a compute resource set that executes at least one of the applications and a hardware resource set that stores a portion of the data comprises preparing at least one control resource set to provide management services for the at least one compute resource set and the at least one hardware resource set.
13. The method of claim 12 , wherein the at least one control resource set comprises a system control processor.
14. The method of claim 13 , wherein the management services comprise:
intercepting data access requests from the at least one compute resource set by presenting the hardware resource set as bare metal resources; and
monitoring the applications to identify potentially compromised applications based on the intercepted data access requests and monitoring trigger events.
15. A non-transitory computer readable medium comprising computer readable program code, which when executed by a computer processor enables the computer processor to perform a method for managing composed information handling systems to manage access to data by applications hosted by the composed information handling systems, the method comprising:
instantiating a composed information handling system of the composed information handling systems using an at least one compute resource set that executes hosts at least one of the applications and an at least one hardware resource set that stores a portion of the data;
associating, using authorization information, different storage areas of the at least one hardware resource set with the applications to obtain storage area associations;
obtaining a data access request from the at least one compute resource set for the portion of the data which is stored in a storage area of the storage areas;
making a determination, based on the storage area associations and an initiator of the data access request, that the initiator of the data access request is not authorized to access the portion of the data;
refusing, based on the determination, to service the data access request;
identifying a monitoring trigger event associated with monitoring modifications to the initiator, wherein the monitoring trigger event is the refusal to service the data access request;
in response to identifying the monitoring trigger event, making a second determination that the initiator was unknowingly modified; and
performing a remediation action set based on the second determination.
16. The non-transitory computer readable medium of claim 15 , wherein the storage area associations specify that the initiator is not associated with the storage area.
17. The non-transitory computer readable medium of claim 16 , wherein the initiator of the data access request is an application of the at least one of the applications.
18. The non-transitory computer readable medium of claim 15 , wherein the data access request indicates an identity of the initiator and the storage area.
19. The non-transitory computer readable medium of claim 15 , wherein instantiating a composed information handling system of the composed information handling systems using a compute resource set that executes at least one of the applications and a hardware resource set that stores a portion of the data comprises preparing at least one control resource set to provide management services for the at least one compute resource set and the at least one hardware resource set.
20. The non-transitory computer readable medium of claim 19 , wherein the at least one control resource set comprises a system control processor.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.